Critical severity: 9.8 (NVD Advisory) · Published Feb 17, 2017 · Updated May 13, 2026
CVE-2016-4861
Description
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
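The description above identifies the root cause as validating an ORDER BY / GROUP BY specification before SQL comments are removed from it. The following is an added illustration (not Zend Framework code, and not the ZF2016-03 patch) of the defensive pattern the advisory implies: normalise the input by stripping comments first, then accept only plain column references against a strict allowlist, and quote every identifier when the clause is built. The function names, the comment syntaxes handled (`/* */`, `--`, `#`) and the sample specs are assumptions chosen for the example.

```python
import re

# Constructed example: allowlist validation of ORDER BY specifications that
# removes SQL comments before the check, so a comment cannot hide part of an
# expression from the validator. Illustrative only; not Zend_Db_Select.

# Block comments, "--" line comments and MySQL-style "#" line comments.
_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*|#[^\n]*", re.DOTALL)

# A bare column name, optionally table-qualified, with an optional direction.
# No parentheses, quotes or operators are ever accepted.
_SPEC_RE = re.compile(
    r"^(?P<col>[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)?)(?:\s+(?P<dir>ASC|DESC))?$",
    re.IGNORECASE,
)


def strip_sql_comments(spec: str) -> str:
    """Replace every SQL comment in spec with a single space."""
    return _COMMENT_RE.sub(" ", spec)


def parse_order_spec(spec: str):
    """Return (column, direction) if the spec is a safe column reference
    once comments are stripped and whitespace collapsed, else None."""
    cleaned = " ".join(strip_sql_comments(spec).split())
    match = _SPEC_RE.match(cleaned)
    if match is None:
        return None
    return match.group("col"), (match.group("dir") or "ASC").upper()


def is_safe_order_spec(spec: str) -> bool:
    return parse_order_spec(spec) is not None


def quote_identifier(name: str) -> str:
    """Backtick-quote each dotted part; the allowlist already excludes
    backticks, so the doubling is only a belt-and-braces measure."""
    return ".".join("`" + part.replace("`", "``") + "`" for part in name.split("."))


def safe_order_clause(specs) -> str:
    """Build an ORDER BY clause from caller-supplied specs, rejecting any spec
    that is not a plain column reference after comment removal."""
    parts = []
    for spec in specs:
        parsed = parse_order_spec(spec)
        if parsed is None:
            raise ValueError(f"rejected ORDER BY spec: {spec!r}")
        column, direction = parsed
        parts.append(f"{quote_identifier(column)} {direction}")
    return "ORDER BY " + ", ".join(parts)


if __name__ == "__main__":
    # Constructed inputs: ordinary specs pass, a comment-interleaved
    # expression is rejected because the check runs on the stripped text.
    print(safe_order_clause(["created_at DESC", "u.name"]))
    for candidate in ("name /* note */ DESC", "name /* */ (SELECT 1)", "(SELECT 1)"):
        print(repr(candidate), "->", is_safe_order_spec(candidate))
```

The design point is the order of operations: any validator that inspects the raw string can be made to see something different from what the database parser sees, so normalisation (comment removal, whitespace collapsing) must happen before the allowlist check, and the allowlist should describe what is permitted rather than try to enumerate what is dangerous.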
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| zendframework/zendframework | Packagist | < 1.12.20 | 1.12.20 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- framework.zend.com/security/advisory/ZF2016-03 (NVD: Vendor Advisory, Exploit, Technical Description)
- jvn.jp/en/jp/JVN18926672/index.html (NVD: Third Party Advisory, VDB Entry)
- jvndb.jvn.jp/jvndb/JVNDB-2016-000158 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-xfjq-w3cw-h5fq (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-4861 (GHSA: Advisory)
- lists.debian.org/debian-lts-announce/2018/06/msg00012.html (NVD)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2 (GHSA, NVD)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU (GHSA, NVD)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT (GHSA, NVD)
- security.gentoo.org/glsa/201804-10 (NVD)
News mentions
No linked articles in our index yet.